Inspect the Unexpected with Encrypted Web Traffic

Inspecting Encrypted Web Traffic Effectively with High-Performing WatchGuard Firebox Appliances

The Importance of Inspecting Encrypted Traffic

Traditional firewalls are unable to inspect encrypted traffic effectively, leaving you vulnerable to attacks. Based on a Radware survey, a staggering 48% of security professionals were unsure whether they could defend against an SSL-based attack.

To begin inspecting SSL-encrypted traffic, both inbound and outbound traffic must be decrypted before inspection. Directly after, that traffic must be re-encrypted. This process happens within seconds and leaves room for exposure, especially if your security architecture is already at risk for an attack.

Gaps in Your Security

With more and more organizations moving to encrypted web traffic, the vulnerability that the encryption process presents is also one of the biggest performance drains on your firewall. By and large, it’s an amplification effect: an SSL-based attack requires 15 times more resources from the server side than the client side. Therefore, implementing a security solution that defends against an SSL-based attack is critical, but the solution must be able to keep up with the performance requirements of your organization.

Malware Hides in SSL Traffic

An SSL-based attack, or any other cyber security attack for that matter, is damaging to all organizations. It is important to understand the risks involved and how easily malware can creep into SSL traffic.

Some devices inspect either inbound or outbound traffic. An effective security solution should be able to inspect both. In many instances, inbound traffic can refer to how malware attacks communicate with command and control (C&C) servers through SSL.

These C&C servers often will give instructions for the next phase of the attack. Some of those phases are the exfiltration of data (outbound traffic) or even the introduction of malware payloads that cause more harm. As a result, all of these would appear hidden because SSL encryption disguises that traffic, making data theft possible.

Keep in mind though, not all encrypted traffic should be inspected. There are exceptions, especially those outlined in PCI DSS. PCI mandates that all cardholder information remain encrypted from end to end in order to maintain confidentiality of financial transactions. In this case, it’s a good rule of thumb that all the traffic that flows through a point-of-sale (POS) terminal remains encrypted.

Concerns of Performance

In the inspection process, decrypting traffic on a traditional firewall reduces the appliance’s performance, often by more than 80%. There is no question that this degradation will reflect on the user experience and employee productivity.

Any vendor can do SSL inspection, but not all can maintain the necessary performance levels your business requires. Additionally, as security services are applied, performance degrades. Essentially, most vendors make you choose between security and performance.

To reap the full benefits, dedicated SSL tools should be incorporated into an integrated platform. Furthermore, they should be able to share critical information, correlate data to detect new threats and respond to the most distributed attacks.

HTTPS Efficiency with WatchGuard

WatchGuard understands the importance of inspecting traffic. That’s why our Firebox products are designed to handle traffic with high performance even when all security services are activated. It’s at the core of our product design.

This sets us apart from others because while other competitors might be able to scan the traffic, the performance suddenly drops when adding security services, and particularly when inspecting encrypted traffic.

What’s more, we offer whitelist and blacklist categories that predetermine if some types of traffic are automatically safe or should always be blocked – further improving performance because you’re not decrypting more traffic than you should.

Based on verified Miercom reports below, WatchGuard is the vendor, out of all competitors tested, that had the highest performance when all security services were enabled for HTTPS traffic. In fact, our appliances perform at nearly three times the throughput of our closest competitor.